How to use TL-WR703N as VPN router

Sat, 28/09/2013 - 22:04 -- Remiguel

The Apple TV2 doesn't support VPN. One solution is to use a router with VPN support. Our small router, bought for less than 20 €, doesn't support OpenVPN because of its 4 Mbytes of flash memory, but it does support the PPTP protocol. PPTP is not the best protocol in terms of security, but it is faster because its encryption uses less CPU.

Installation overview

What I want to do is to connect the ATV to the WR703N by Wi-Fi. The WR703N will be attached to the main router by Ethernet cable to get Internet access, and will be configured with a VPN service.

Zone Configuration for the WR703N

I don't know if my approach is the correct one, but it works. In addition to the existing zones (Lan and Wan), I have configured a new zone called Vpn. These zones do not communicate with each other; I will allow the required traffic with the OpenWrt firewall.

The Wan zone will get an interface with a static address and no DHCP, attached to the main router via Ethernet cable. The Vpn zone will host the PPTP interface. The Lan zone will get a static interface and a wireless interface, bridged together (the ATV will connect by Wi-Fi).
At the beginning of my tests, I left the DHCP server enabled on the Lan static interface. It worked, but the router and the VPN tunnel were unstable. I suspect the main router's DHCP sometimes conflicts with this one.

Installation of the pptp package

Two methods:

By LuCI
Go to the "Software" tab in the "System" menu and click on "Update".
Once updated, search for ppp-mod-pptp and click on "Install".

By ssh
Type these two lines one after the other, each followed by Enter:
opkg update
opkg install ppp-mod-pptp

Configuration of the three zones and their interfaces

Wan Zone

The Wan interface is configured with a static address within the main router's IP range. The gateway should be the main router's address. We don't need a DHCP server on it, so we turn it off (Disable).

Go to the "Firewall Settings" tab and assign this interface to the Wan zone.

In the "Physical Settings" tab, check that the adapter is eth0 and leave the "bridge interfaces" option disabled.

Vpn Zone

Add a PPTP interface in the Vpn zone.
In "General Setup", fill in the VPN parameters given by your provider.

Go to the "Firewall Settings" tab to assign this interface to the Vpn zone.
I did my tests with a free VPN service. Once the configuration was working, I switched to a paid service to benefit from a better-quality VPN tunnel.

If the server details and password are correct, you will see the RX and TX counters of the interface increasing. The firewall is not yet configured, so do not expect any Internet traffic yet.

Lan Zone

Create a static interface (optionally with a DHCP server). I called it "virt". This access point will be outside the main network, so give it a static address in a range different from the main router's, e.g. 192.168.2.1. The netmask should be 255.255.255.0.
I started with the DHCP server enabled. After some tests I checked the checkbox to disable it and assigned a static IP to my ATV. The connection is much more stable now.

In the "Physical Settings" tab, check "Bridge interfaces" so that the "virt" interface and the Wi-Fi share one bridge and can talk to each other directly.

Go to Wifi and assign this interface to the Lan zone.

Once finished, click on Network; you should have something like this:
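The interface setup above, expressed as the configuration files that LuCI writes on the router (an added example, not from the original post or its screenshots): a shell script that generates /etc/config/network, /etc/config/dhcp and /etc/config/wireless following the post's design (static Wan on eth0, PPTP Vpn, bridged static "virt" with its DHCP server disabled) and a small checker for the result. The main router address 192.168.1.1, the WR703N address 192.168.1.2, the DNS setting, the SSID and the VPN server and credentials are assumptions to replace with your own.

```shell
# Added example, not from the original post: the /etc/config/network,
# /etc/config/dhcp and /etc/config/wireless equivalent of the LuCI steps
# above, written to a directory so they can be reviewed before copying
# them to the WR703N. Addresses, SSID and VPN credentials are placeholders.

MAIN_ROUTER="192.168.1.1"      # assumed address of the main router
WAN_ADDR="192.168.1.2"         # WR703N address in the main router's range
LAN_ADDR="192.168.2.1"         # "virt" address, as in the post
PPTP_SERVER="vpn.example.net"  # placeholder, from your VPN provider
PPTP_USER="vpnuser"            # placeholder
PPTP_PASS="vpnpassword"        # placeholder

# write_network_config DIR: emit the three UCI files into DIR.
write_network_config() {
	dir="$1"
	mkdir -p "$dir"
	cat > "$dir/network" <<EOF
config interface 'wan'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '$WAN_ADDR'
	option netmask '255.255.255.0'
	option gateway '$MAIN_ROUTER'
	option dns '$MAIN_ROUTER'

config interface 'vpn'
	option proto 'pptp'
	option server '$PPTP_SERVER'
	option username '$PPTP_USER'
	option password '$PPTP_PASS'

config interface 'virt'
	option type 'bridge'
	option proto 'static'
	option ipaddr '$LAN_ADDR'
	option netmask '255.255.255.0'
EOF
	# DHCP server disabled on "virt": the post found the tunnel more
	# stable with a static address on the ATV.
	cat > "$dir/dhcp" <<EOF
config dhcp 'virt'
	option interface 'virt'
	option ignore '1'
EOF
	# Access point attached to the "virt" bridge (placeholder SSID/key).
	cat > "$dir/wireless" <<EOF
config wifi-iface
	option device 'radio0'
	option network 'virt'
	option mode 'ap'
	option ssid 'atv-vpn'
	option encryption 'psk2'
	option key 'change-this-passphrase'
EOF
}

# uci_option FILE SECTION OPTION: print OPTION from the named SECTION of
# a UCI file (small awk parser, sufficient for files like the above).
uci_option() {
	awk -v sec="$2" -v opt="$3" '
		BEGIN { q = "\047" sec "\047" }
		$1 == "config" { insec = ($3 == q) }
		insec && $1 == "option" && $2 == opt {
			v = $3; gsub("\047", "", v); print v; exit
		}' "$1"
}

# verify_network_config DIR: 0 if the files match the post's design
# (static wan on eth0, pptp vpn, bridged static virt without DHCP server).
verify_network_config() {
	d="$1"
	[ "$(uci_option "$d/network" wan proto)" = static ] || return 1
	[ "$(uci_option "$d/network" wan ifname)" = eth0 ] || return 1
	[ "$(uci_option "$d/network" vpn proto)" = pptp ] || return 1
	[ "$(uci_option "$d/network" virt type)" = bridge ] || return 1
	[ "$(uci_option "$d/network" virt proto)" = static ] || return 1
	[ "$(uci_option "$d/dhcp" virt ignore)" = 1 ] || return 1
	return 0
}

# Usage: sh netconfig.sh /tmp/wr703n ; then copy the files to /etc/config/.
if [ -n "${1:-}" ]; then
	write_network_config "$1" && verify_network_config "$1" && echo "written to $1"
fi
```

The files are plain UCI syntax, so after copying them to /etc/config/ on the router, `/etc/init.d/network restart` applies them; the checker only parses the generated files, it does not talk to the router.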

Firewall configuration

In General Settings, set Input, Output and Forward to "Reject" (by default no traffic goes into or out of the router, and no traffic flows between zones).

Now we can configure each zone:
We have to set the Lan zone to communicate only with the Vpn zone, and the Vpn zone only with the Wan zone. That way we ensure that all the Wi-Fi traffic goes through the VPN tunnel.

For security reasons, I set forwarding from Wan to the other zones to "reject".
I left Wan input on "accept" so that the router stays reachable from the Ethernet port.

Really important: check Masquerading and MSS clamping. Without them, no packets will go out and reach the main router.

In the Traffic Rules tab, verify that the existing rules are correctly declared.
The default setting accepts traffic from Lan and sends it to the Wan zone. Leave it as it is.

For both the Lan and Vpn zones, open port 53 for TCP and UDP, and ports 67-68 for UDP.
Also do not forget to open port 1723 for PPTP. I have done nothing for the GRE protocol.

Save the changes and reboot the WR703N.
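The firewall settings above as the /etc/config/firewall file behind those LuCI screens (an added example, not from the original post), together with a check that the only forwarding paths are Lan to Vpn and Vpn to Wan, which is what keeps Wi-Fi traffic from leaving through the main router directly. Zone and interface names follow the post; the DNS and DHCP rules are written for the Lan zone only, so copy them with `option src 'vpn'` if, like the post, you open them on the Vpn zone as well.

```shell
# Added example, not from the original post: the /etc/config/firewall that
# matches the zone policy above (defaults REJECT, lan -> vpn and vpn -> wan
# only, masquerading + MSS clamping on the zones that leave the router, the
# post's DNS/DHCP/PPTP rules) and a check that no forwarding rule lets Wi-Fi
# clients reach the main router directly, bypassing the tunnel.

# write_firewall_config FILE: emit the firewall config in UCI syntax.
write_firewall_config() {
	cat > "$1" <<'EOF'
config defaults
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'virt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'vpn'
	option network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wan'
	option network 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config rule
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option src 'vpn'
	option proto 'tcp'
	option dest_port '1723'
	option target 'ACCEPT'
EOF
}

# fw_forwarding_allowed FILE SRC DST: 0 if a forwarding section allows SRC -> DST.
fw_forwarding_allowed() {
	awk -v s="$2" -v d="$3" '
		$1 == "config" { infwd = ($2 == "forwarding"); src = ""; dst = "" }
		infwd && $1 == "option" {
			v = $3; gsub("\047", "", v)
			if ($2 == "src") src = v
			if ($2 == "dest") dst = v
			if (src == s && dst == d) { found = 1; exit }
		}
		END { exit found ? 0 : 1 }' "$1"
}

# fw_default_forward FILE: print the forward policy of the defaults section.
fw_default_forward() {
	awk '$1 == "config" { indef = ($2 == "defaults") }
	     indef && $2 == "forward" { v = $3; gsub("\047", "", v); print v; exit }' "$1"
}

# verify_vpn_only_path FILE: 0 when lan can only leave through vpn, 1 if a
# direct lan <-> wan path exists or the default forward policy is not REJECT.
verify_vpn_only_path() {
	[ "$(fw_default_forward "$1")" = REJECT ] || return 1
	fw_forwarding_allowed "$1" lan vpn || return 1
	fw_forwarding_allowed "$1" vpn wan || return 1
	fw_forwarding_allowed "$1" lan wan && return 1
	fw_forwarding_allowed "$1" wan lan && return 1
	return 0
}

if [ -n "${1:-}" ]; then
	write_firewall_config "$1" && verify_vpn_only_path "$1" && echo "$1: ok, lan can only leave via vpn"
fi
```

Run it as `sh fwconfig.sh /tmp/firewall`, review the file, then copy it to /etc/config/firewall on the router and run `/etc/init.d/firewall restart`. The checker is also useful after editing in LuCI: copy the router's own /etc/config/firewall back and run `verify_vpn_only_path` on it to confirm no direct Lan-to-Wan forwarding has crept in.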

If all goes well, all traffic from the wireless access point will go through the VPN tunnel. To check it, connect a PC to the WR703N's Wi-Fi and look up your IP geolocation with a "My IP" service, for example. If you appear to be located in the country of your VPN subscription, perfect. Otherwise, check each step again, with the corresponding pings.

Troubleshooting

The WR703N rebooted randomly. With a 1 A power supply the issue has gone.

Each time I made changes with LuCI and saved them, the WR703N rebooted. With DHCP disabled on the WR703N and the 1 A power supply, the router is more stable.